OWASP / www-project-developer-guide

OWASP Project Developer Guide - Document and Project Web pages
https://owasp.org/www-project-developer-guide/
Creative Commons Attribution Share Alike 4.0 International

ZAP is now Checkmarx #282

Closed jgadsden closed 2 days ago

jgadsden commented 3 days ago

Describe what change you would like :
ZAP is now owned by Checkmarx and is in their portfolio, and we should not be seen to endorse one company's products and not another company's products. It is probably easier to remove the section on ZAP.

See the Checkmarx press release for what will be available to Checkmarx customers and what will remain available for the ZAP community.

Context :
Section: 08-verification/02-tools/01-zap.md

sydseter commented 3 days ago

Yes, these pages are wrong as well: https://owasp.org/www-project-devsecops-guideline/latest/02b-Dynamic-Application-Security-Testing

sydseter commented 3 days ago

https://github.com/OWASP/www-project-devsecops-guideline/issues/32

sydseter commented 3 days ago

There is a page at the www-community project that seems much more complete regarding DAST: https://owasp.org/www-community/Vulnerability_Scanning_Tools

sydseter commented 3 days ago

Perhaps there could be a page about DAST tools in general in stead?

jgadsden commented 3 days ago

yes, I agree @sydseter - do you want to write this, or I can do it? I am always happy for all contributions :)

sydseter commented 3 days ago

Ok, fine, challenge accepted.

psiinon commented 3 days ago

As I mentioned on https://github.com/OWASP/www-community/issues/1001 ZAP is NOT owned by Checkmarx :) I've explained that in https://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/ The 3 ZAP project leaders are employed by Checkmarx. But the rights to ZAP remain with the ZAP Core Team and ZAP is staying OSS.

psiinon commented 3 days ago

Paid-for ZAP features? That's news to me! Checkmarx do build a commercial product on top of ZAP, but so do lots of other companies: https://www.zaproxy.org/third-party-services/

Please check with the ZAP team before spreading disinformation. ZAP is staying OSS, there will NOT be any paid-for features in ZAP.

sydseter commented 3 days ago

It might be better to refer to a full list of tools instead of just the ZAP proxy since there are several OWASP projects that strive to do DAST.

Good to see that the core of ZAP is going to remain free.

psiinon commented 3 days ago

That makes sense to me

sydseter commented 3 days ago

@jgadsden Should we close this and instead focus on what has been concluded?

kingthorin commented 2 days ago

there are several OWASP projects that strive to do DAST.

There are? Like what?

sydseter commented 2 days ago

I understood it like this: ZAP is staying OSS, but due to there being several OWASP related tools that focus on DAST, instead of having a ZAP tools page, add a document describing DAST and a link to a list where you can pick and choose. Then, for the future, focus on giving some guidance on DAST as a tool.

kingthorin commented 2 days ago

but due to there being several OWASP related tools that focus on DAST

That's news to me, what are these other OWASP DAST projects?

psiinon commented 2 days ago

TBH I'm not aware of any, or none that are active. All of the OSS web scanners I know about are listed on https://github.com/psiinon/open-source-web-scanners LMK if I'm missing any...

sydseter commented 2 days ago

Not scanners per se, but there are several that use ZAP under the hood to achieve the same goal. Nice list @psiinon!

psiinon commented 2 days ago

That's because developing and maintaining a DAST scanner takes a LOT of effort 😉

sydseter commented 2 days ago

I wouldn't doubt that even for a second.

jgadsden commented 2 days ago

@psiinon and @kingthorin, at the risk of incurring the Wrath of ZAP, I am only going by what the Checkmarx press release says:

Checkmarx customers will gain:

Enhanced engine development, ensuring that customers benefit from the most secure, optimized and up-to-date solutions. The combined team will expand and enhance ZAP with innovative new features so that it can be leveraged both alone and within Checkmarx DAST.

so to me that sounds like paid-for features.

kingthorin commented 2 days ago

"...alone and within..."

Alone being ZAP OpenSource 👍

sydseter commented 2 days ago

If we look past that discussion, I am guessing the best documentation on ZAP will always be provided by ZAP, at any given time. And, given that we want to strive to be as agnostic as possible regarding the use of tools and technologies, perhaps there shouldn't be an individual page about ZAP anyway. Wouldn't a page on DAST instead of ZAP be an improvement anyway?

kingthorin commented 2 days ago

the best documentation on ZAP will always be provided by ZAP

Yes, in the vast majority of cases that should be true.

As for a generic page, yes that probably makes most sense for OWASP and this guide.

Edit: For the record it is a good and important discussion: if a few people have the wrong info or perception then it's likely others do too, so having these talks and clearing things up so the message spreads correctly is important.

jgadsden commented 2 days ago

Yes, I agree that the Checkmarx press release clearly does state that paying customers will get enhanced ZAP features not available to the ZAP community members, and that these new ZAP features will also be used in the existing Checkmarx DAST CxOne product. If this is not the case then it should be corrected by Checkmarx, but until then we have to take them at their word.

It is not an easy decision to remove the ZAP section from the Developer Guide, after all we are all ZAP users to the core :)

psiinon commented 2 days ago

Those features will be in Checkmarx DAST, which is a commercial tool built on top of ZAP. Yes, we will almost certainly be involved in developing them. They will not be commercial ZAP features. Maybe the press release could have been clearer, but it's a press release, it's been released and so it will not be updated. All of the ZAP project leaders are here on this ticket. We're all Checkmarx employees (or will be in one case). We are telling you quite clearly that any commercial features built on top of ZAP will be in Checkmarx DAST and not in ZAP.

jgadsden commented 2 days ago

yes, apologies @thc202, I now see what you are saying - the issue description is misleading; I have altered it so that it is more clear.